The Federal Trade Commission (“FTC”) recently issued a report entitled “Data Brokers: A Call for Transparency and Accountability” that identifies various concerns raised by the “Big Data” industry and provides solutions for addressing those concerns. The report focuses on data brokers – entities that collect consumer personal information and share or sell the information to third parties – who are largely invisible to the public. The FTC sought to illuminate the practices of the data broker business where consumer data is bought and sold with no direct consumer interaction. To that end, the FTC ordered nine data brokers, Axciom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf and Recorded Future, to provide information about the way they collect and use data, and how they enable consumers to access and control that data.
In the report, the FTC found that the data brokers have collected over a billion pieces of consumer data from a wide range of commercial, government and public sources. The data brokers create products using this raw data and the inferences made from that data to sell to clients. The FTC separated the products provided by data brokers to their clients into three categories: (1) marketing products; (2) risk mitigation products; and (3) people search products.
• For the risk mitigation products, data brokers provide their clients with the ability to verify a consumer’s identity and determine the existence of any fraudulent activity associated with a consumer. However, data brokers do not typically allow consumers to correct their information.
• A few data brokers also provide websites that enable people searches to obtain publicly available information about consumers. Unlike the marketing and risk mitigation products, data brokers providing people search websites typically allow for consumers to correct information and also allow consumers to opt out of having their information disclosed.
According to the report, the products provided by data brokers benefit consumers in many ways, by allowing businesses to effectively tailor advertisements, improve products, protect consumer identity from fraud and facilitate consumer interaction. However, the agency noted that the practices of some data brokers can also create risk to consumers if the information collected is incorrect, if a consumer is identified in a negative way or segmented based on discriminatory criteria. In addition, the collection of such vast amounts of consumer data create a security risk if that data is held indefinitely.
Call for Congress to Act
Based on its finding, the FTC called on Congress to enact legislation that would require data brokers to give consumers detailed access to their data and allow consumers the ability to opt out of having their data disseminated for marketing purposes. According to the agency, any such legislation should:
1. Enable consumers to identify the data brokers who collect their information, and determine how to access and opt out of the collection of that data, such as through a centralized portal;
2. Require data brokers to disclose how they use raw data and the types of inferences that are made from the raw data;
3. Require data brokers to disclose the sources of data to allow consumers to correct their data if necessary;
4. Ensure that data brokers provide consumers with notice that their data will be shared with data brokers, obtain consent (especially to collect sensitive data such as health information) and the ability to opt out of having their data shared with data brokers; and
5. Identify when a company uses risk mitigation products to limit a consumer’s ability to complete a transaction, especially where it adversely impacts a consumer’s ability to obtain certain benefits.
Outside of congressional action, the FTC also recommends that companies institute best practices, such as implementing privacy-by-design (considering privacy issues at every stage of product development) and refraining from collecting information from minors. Data brokers should also take steps to ensure that others who use the data they gather do not use it for eligibility determinations or to unlawfully discriminate.
The FTC report sheds light on the data brokerage industry and calls for legislation to protect consumers. So far, Congress has been slow to enact any data privacy legislation despite recent high profile consumer data breaches. However, momentum is building. The White House issued a report last month that focuses on how companies gather and use data online about individuals, and how those practices could be used to discriminate against certain groups. And at least one bill – the Data Broker Accountability and Transparency Act of 2014 – has been introduced by Senators John Rockefeller (WV) and Edward Markey (MA) that would require data brokers to disclose their efforts and provide consumers with options to control their information.
Even in the absence of clear direction by Congress, the FTC’s enforcement authority should compel any company that collects consumer data to heed the FTC’s recommendations, not just data brokers. As the FTC has shown, when it issues guidance on data privacy issues it will take action against companies that do not comply. At a minimum, companies collecting consumer data should ensure that their customers are notified that their data may ultimately be sold to data brokers, obtain consent and provide them with the opportunity to opt out of such disclosure. Doing so will ensure that companies meet the FTC’s consumer data use and collection expectations.